
Star Wars reveals the dark side of cybersecurity

In seven Star Wars movies, the demise of the empire is caused by a lack of adequate cybersecurity measures. You've been warned: Here are some examples — but not from a galaxy far, far away.

Over the holidays, my family and I went to the theatre to see Star Wars: The Force Awakens. Not only did we watch Episode VII, but we also revisited the previous six movies. What was my big takeaway after watching seven Star Wars movies in a matter of weeks? Simple. In each movie, the demise of the empire is caused by a lack of adequate cybersecurity measures.

Unfortunately, the lack of cybersecurity isn’t just a problem for a galaxy far, far away — it’s a very real problem happening in our own backyard. Here are a few examples, both from the movies and from real life.

Lack of encryption: In Episode IV: A New Hope, the Death Star’s blueprints aren’t encrypted, allowing the rebels to access its plans. This reminds me of a cybersecurity breach that happened right here on earth. Just last year it was revealed that, on two occasions, Chinese hackers accessed background forms completed by over 20 million current, former, and prospective federal employees and contractors. Looks like both the Death Star and the federal government would benefit from better encryption software.

Unsecured ports: Also in Episode IV, R2D2 is able to connect to a network port on the Death Star and control the trash compactor that’s about to crush Luke, Leia, Han Solo, and Chewbacca. It appears R2D2 gained administrator-level access by connecting to the ship’s network. While that worked out in the rebel alliance’s favor, this is a common problem today. For example, the IRS provided the web service, “Get Transcripts,” as an easy way for taxpayers to download tax returns. Between February and May of 2015, hackers gained access to this service and downloaded more than 200,000 taxpayer returns, claiming tax refunds from 15,000 of them.

Lack of security controls in systems: Most systems on the Death Star lacked security controls. Once the rebels mapped out the Death Star and its critical infrastructure, they were able to access the sensitive areas and systems to destroy them. We also see this in real life. In 2014, 76 million customer records were compromised at JP Morgan Chase. The hackers gained access to JP Morgan applications and identified known vulnerabilities in each system, including web applications, to identify entry points into the bank’s systems.

Trojan horse: The Death Star locked in on the Millennium Falcon and pulled it into bay 327, thus allowing a Trojan horse inside the ship. This allowed Luke, Han, and Obi-Wan into the Death Star, bypassing all physical controls. Eventually, they destroyed the Death Star and saved Princess Leia. This reminded me of the malicious Trojan horse software embedded into Target’s point-of-sale system, compromising 40 million credit and debit card numbers in 2014.

Still not convinced that the empire is lacking in the cybersecurity department? Consider the following:

The Death Star has zero intrusion detection systems. There were no alarm bells when R2D2 accessed the network or even when Obi-Wan was shutting down power to the tractor beam.

The rebels, and even the Empire, destroyed the Death Star’s primary power source, and there wasn’t a backup source supporting the system.

There wasn’t anyone in charge of cybersecurity on the Death Star.

It’s likely that the early Star Wars movies didn’t have proper cybersecurity controls because, in reality, they really didn’t exist yet. But considering the cybersecurity advancements here on earth, I was expecting that, in the new movie, the Empire would not only have better security controls, but also a futuristic approach to cybersecurity. While I enjoyed the movie, the lack of cybersecurity was a letdown (or, in the words of Darth Vader, “disturbing”).

This content originally appeared at crainsdetroit.com and crainscleveland.com and is part of a special blog series on cybersecurity.